Env Fallback Secret

Secret env vars with hardcoded fallback values

criticalSecurityenv-fallback-secret

Why this matters

A hardcoded fallback means the app runs with a known secret when the env var is missing. In production, this is a backdoor. Locally, it hides misconfiguration.

✗ Bad

const apiKey = process.env.API_KEY || "sk_default_key_123";
const dbUrl = process.env.DATABASE_URL
  ?? "postgres://admin:password@localhost/db";

✓ Good

const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error("API_KEY is required");

const dbUrl = process.env.DATABASE_URL;
if (!dbUrl) throw new Error("DATABASE_URL is required");

How to fix

Never provide fallback values for secrets. Fail fast with a clear error message if a required env var is missing.

All rules